The preceding example shows the use of the -o (lowercase
letter o) option to specify SASL options. The realm is
optional, but if specified, it must be the fully qualified domain name of
the server host machine. The authid and authzid must
both be present and identical, although the authzid intended
for proxy operations is not used. The -w password option
applies to the authid.

The value of authid is the Principal used in identity
mapping. The authid should contain either the dn: prefix
followed by a valid user DN in the directory, or the u: prefix
followed by any string determined by the client. This use of authid allows
you to use the mappings that are shown in DIGEST-MD5 Identity Mappings.
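The rules above can be checked before a command is run. The following is an added example, not part of the original documentation: the function names are hypothetical, the command lines are constructed samples, and it assumes SASL options are passed as -o name=value pairs.

```python
import shlex

def sasl_options(command):
    """Collect the -o name=value pairs from an ldapsearch command line."""
    args = shlex.split(command)
    opts = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-o" and "=" in value:
            name, _, val = value.partition("=")  # split on the first "=" only
            opts[name] = val
    return opts

def check_digest_md5(command, server_fqdn):
    """Return a list of problems with the SASL options; empty means none found."""
    opts = sasl_options(command)
    problems = []
    authid, authzid = opts.get("authid"), opts.get("authzid")
    if not authid or not authzid:
        problems.append("authid and authzid must both be present")
    elif authid != authzid:
        problems.append("authid and authzid must be identical")
    if authid:
        prefix, sep, rest = authid.partition(":")
        if not sep or prefix not in ("dn", "u") or not rest:
            problems.append("authid needs a dn: or u: prefix followed by a value")
        elif prefix == "dn" and "=" not in rest:
            # Syntax check only; whether the DN exists is decided by the server.
            problems.append("dn: authid must be followed by a user DN")
    realm = opts.get("realm")
    # realm is optional; host names compare case-insensitively.
    if realm is not None and realm.lower() != server_fqdn.lower():
        problems.append("realm must be the server's fully qualified domain name")
    return problems

# Constructed sample command lines (host and user names are placeholders).
GOOD = ('ldapsearch -h host1.example.com -p 1389 -o mech=DIGEST-MD5 '
        '-o realm="host1.example.com" '
        '-o authid="dn:uid=bjensen,dc=example,dc=com" '
        '-o authzid="dn:uid=bjensen,dc=example,dc=com" -w - '
        '-b "dc=example,dc=com" "(givenname=Richard)"')
BAD = ('ldapsearch -h host1.example.com -o mech=DIGEST-MD5 -o realm=example.com '
       '-o authid="dn:uid=bjensen,dc=example,dc=com" -o authzid="u:bjensen" -w -')

if __name__ == "__main__":
    for cmd in (GOOD, BAD):
        print(check_digest_md5(cmd, "host1.example.com") or "ok")
```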

The most common configuration is for an SSL connection to provide encryption
over the LDAPS secure port and DIGEST-MD5 to provide the client authentication.
The following example performs the same operation over SSL:

In this example, the -N and -w options
are required by the ldapsearch command, as the operation
is performed over SSL. However, these options are not used for client authentication.
Instead, the server performs another DIGEST-MD5 identity mapping of the Principal
in the authid value.